This is just a hypothetical question that an IT guy posed to me at work when I told him I was using Webroot to protect my home PC.
Can someone with a good knowledge of Webroot explain how it would clean up a piece of nasty ransomware that it didn't catch and let slip by? For argument's sake, assume that the ransomware has locked up the PC and the Webroot GUI cannot be accessed.
My thinking is that Webroot will eventually identify the ransomware on its own (working in the background via the cloud while the PC is locked up) and clean up the infection automatically. Is that correct?
2.) WSA reports its findings and current status to their servers. If you contact Webroot support they can look at what your PC has reported, mark it as bad, and the next time WSA checks in with the servers it will remove it. As a business customer, I have this ability as well. I have done this exact procedure where I review suspicious files reported, marked them as bad, and 15 minutes later WSA removed the infection. Pretty neato.
3.) Webroot support for removing viruses that make it past protections is free, so you should open a support case or give them a call. In the meantime I would leave the computer off until you hear back from them.
You can find information about contacting them here:
Where can I get the .ISO?
Gorg, Rakanisheu is talking about a Linux boot cd we use sometimes for non-booting systems. There's nothing particularly unique about it except it comes pre-loaded with remote access capabilities for our technicians to help get the computer back in working order. It's something we send out only on an as-needed basis, which is pretty rare these days.
At what point would Webroot stop this activity and how would it deal with the encrypted files, if any? Apparently the latest iteration also hits any shares you are mapped to with permissions.
In a nutshell, are Webroot users protected, and if they get infected can Webroot roll it back, encrypted or not? I want to be able to assure our clients they are covered.
Some info on this nasty piece of code
This type of malware is a much bigger issue in a corporate environment. In the case I saw it wasn't helped by extremely loose internal IT policies in said corporate environment. Managed to stop any spreading of the infection but one desktop was a write-off (i.e. a format).
In my opinion, from back when I used to be in IT, I would have auto-run disabled, users wouldn't have any write access to corporate network shares, external USB devices were banned, optical drives disabled. The only write access was to a small network share that would be periodically wiped (for security reasons). Email attachments were limited to certain file types, and users were only given limited user accounts too. I think in today's world, with the advanced malware going around, we have to do everything we can to limit the number of entry points.
This ransomware is a giant pain, as you can't crack the key unless you have access to a large number of supercomputers using brute force over a long period! We have a team working on this as we speak. At the moment, thankfully, we aren't seeing many cases of this as we are catching a large number of them before they can execute.
In the end it comes back to that old computing mantra that seems to have been forgotten:
BACKUP BACKUP BACKUP and do it regularly!
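As an added example (not from this thread or from Webroot), here is a read-only PowerShell audit that reports whether the controls the post above lists are actually in place on a workstation: AutoRun disabled, USB mass storage blocked, the user running without admin rights, and no writable mapped shares. It assumes it is run as the ordinary user whose session is being audited (no elevation needed) and that the standard Windows policy registry locations apply; the function names are my own.

```powershell
# Added example: audit of the hardening controls listed in the post above.
# Assumes the standard Windows policy registry locations; run as the normal user.

function Get-AutoRunPolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $v = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    # 0xFF disables AutoRun on every drive type; anything else leaves some drives enabled.
    [pscustomobject]@{ Control = 'AutoRun disabled'; Value = $v; Ok = ($v -eq 0xFF) }
}

function Get-UsbStoragePolicy {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $v = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    # Start = 4 means the USB mass-storage driver is disabled, so removable media cannot mount.
    [pscustomobject]@{ Control = 'USB storage blocked'; Value = $v; Ok = ($v -eq 4) }
}

function Get-LocalAdminStatus {
    # A limited user account cannot tamper with the AV or install drivers.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    [pscustomobject]@{ Control = 'Running as standard user'; Value = $isAdmin; Ok = (-not $isAdmin) }
}

function Get-WritableShares {
    # Each mapped drive this user can write to is a share that ransomware running
    # in this user's session could also encrypt; probe with a throwaway file.
    Get-PSDrive -PSProvider FileSystem | Where-Object { $_.DisplayRoot -like '\\*' } | ForEach-Object {
        $probe = Join-Path $_.Root ("audit-{0}.tmp" -f [guid]::NewGuid())
        $writable = $false
        try { [IO.File]::WriteAllText($probe, ''); Remove-Item $probe -Force; $writable = $true } catch {}
        [pscustomobject]@{ Control = "Share $($_.DisplayRoot) read-only"; Value = $writable; Ok = (-not $writable) }
    }
}

$results = @(Get-AutoRunPolicy; Get-UsbStoragePolicy; Get-LocalAdminStatus; Get-WritableShares)
$results | Format-Table -AutoSize
```

Any row with Ok = False is a control from the post that is missing on that machine; the script only reads settings and never changes them.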
Take for example the company where there are only a couple of people, all partners or owners, who by default use their own machines for their business and do not have a central server. One can't write-protect files on a local machine for these folks, nor can we wipe it weekly for security purposes. They often use Dropbox or the like to share files, and controls are seriously lacking in that application, business version or not. Having them log on as a standard user and not local admin helps in many cases, but not with this ransomware. And try enforcing that type of logon: almost impossible.
Another situation is where contractors work for the company using their own machines and are not on a network, but on work sites all around the world, where we have even less control. It gets very grey here: what can the company enforce on its contractors? Have AV and a firewall, yes, but past that, not much. Surf out through a proxy, sure. Does that help? Maybe a bit, but the baseline fundamental controls (user privilege, access, filtering, file-level security) are difficult if not impossible to enforce.
What it boils down to is putting tools in place like an AV and firewall the end user can't mess with, then trying to convince the user to back up to a remote location or a temporarily attached device daily, and hoping they do it. We all know how well that works.
Ransomware and especially CryptoLocker is really quite a hot topic!
I have good news for all of you: according to Webroot they CAN revert the encryption CryptoLocker would do on your system, but, of course, only if WSA was running when the ransomware hit the machine.
Another requirement is that you must have WSA v184.108.40.206+ software running on your system.
Should you be interested in details, you may want to sign up for this webinar: http://bit.ly/1b0f8Al
PS. We are going to test the remediation process in our lab this week with some CryptoLocker samples.....